UPDATE–Oracle, never the most researcher-friendly software vendor, has taken its antagonism to another level after publishing a blog post by CSO Mary Ann Davidson that rails against reverse engineering and says that the company has no need for researchers to look at Oracle’s code for vulnerabilities because “it’s our job to do that, we are pretty good at it”.
The post, which was removed early Tuesday morning, is still available in an archived form and is a long, rambling explanation of Davidson’s views about the practice of customers and researchers reverse engineering Oracle’s code. Davidson, who has been at Oracle for more than 25 years, said in the post that reverse engineering violates Oracle’s license agreement and that the company regularly sends letters to customers and consultants whom it believes have violated the EULA. She also said that even when researchers try to report a security vulnerability in an Oracle product, the company often takes issue with how the bug was found and won’t credit researchers.
“I almost hate to answer this question because I want to reiterate that customers Should Not and Must Not reverse engineer our code. However, if there is an actual security vulnerability, we will fix it. We may not like how it was found but we aren’t going to ignore a real problem – that would be a disservice to our customers. We will, however, fix it to protect all our customers, meaning everybody will get the fix at the same time,” Davidson said in the post.
“However, we will not give a customer reporting such an issue (that they found through reverse engineering) a special (one-off) patch for the problem. We will also not provide credit in any advisories we might issue. You can’t really expect us to say ‘thank you for breaking the license agreement.’”
Oracle is well-known in the security research community for being difficult to deal with, if not downright hostile. Davidson has spoken out in the past about not having much use for external researchers, and in the deleted post she said that virtually all of the vulnerabilities found in Oracle products are found internally, so rewarding outside researchers with credit or bug bounties is pointless.
“Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers,” Davidson said in the post.
A statement sent by Oracle PR said that the company removed the post because it didn’t fit with the company’s relationship with customers.
“The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers,” said Edward Screven, Executive Vice President and Chief Corporate Architect, at Oracle.
The reaction from the security community to Davidson’s post, and its subsequent removal, was swift and ugly. Many researchers who have had difficult interactions with Oracle in the past said they weren’t surprised by the post, and others pointed out that Davidson’s post seems to seek a return to the time when vendors were openly hostile to researchers and wanted no part of bug reports.
“Application security is an enormous software supply chain issue for both enterprises and software vendors because we all rely on software provided by others. Vendors need to be responsive to their customers’ valid requests for assurance, and to security researchers who are trying to make the software we all consume better,” Chris Wysopal, CTO and CISO at Veracode, said.
“Leaders in the industry – Google, Apple, Microsoft, Adobe – all encourage third-party code audits and bug bounty programs as a valuable extension of their own security processes. Discouraging customers from reporting vulnerabilities or telling them they are violating license agreements by reverse engineering code is an attempt to turn back the progress made to improve software security.”
Wysopal said in an interview that the views Davidson expressed in the post are the opposite of the way the security community and vendors have been moving for years.
“The community has been moving more to embrace bug reports and there’s more of that activity going on than ever before, at places like Tesla and United. She’s really sailing against the tide here,” he said.
“We will engage with the vendor on the things she mentioned, like understanding that there are mitigating factors that could prevent a bug from being exploited. She doesn’t want to engage at all in the process. She just says no, no, no, we have it covered. Our customers don’t believe that and I don’t think most of the community believes it either.”
There could be a positive outcome from all this, however.
“They can’t be the only outlier on this and not engage the community. I’m hopeful that this whole thing will lead to a turnaround,” Wysopal said.
This story was updated on Aug. 8 to add the comments from Wysopal.